[bug report] NFC: st21nfca: Fix some skb memory leaks

All of lore.kernel.org
 help / color / mirror / Atom feed

* [bug report] NFC: st21nfca: Fix some skb memory leaks
@ 2018-09-28  9:28 Dan Carpenter
  0 siblings, 0 replies; only message in thread
From: Dan Carpenter @ 2018-09-28  9:28 UTC (permalink / raw)
  To: christophe.ricard; +Cc: linux-wireless

Hello Christophe Ricard,

The patch c490c557b67f: "NFC: st21nfca: Fix some skb memory leaks"
from Jan 25, 2015, leads to the following static checker warning:

	drivers/nfc/st21nfca/core.c:742 st21nfca_hci_complete_target_discovered()
	warn: 'nfcid_skb' was already freed.

drivers/nfc/st21nfca/core.c
   712                          /* NFC Forum Digital Protocol Table 44 */
   713                          if (target->sensf_res[0] == 0x01 &&
   714                              target->sensf_res[1] == 0xfe)
   715                                  target->supported_protocols =
   716                                                          NFC_PROTO_NFC_DEP_MASK;
   717                          else
   718                                  target->supported_protocols =
   719                                                          NFC_PROTO_FELICA_MASK;
   720                  } else {
   721                          kfree_skb(nfcid_skb);
                                ^^^^^^^^^^^^^^^^^^^^
Freed.

   722                          /* P2P in type A */
   723                          r = nfc_hci_get_param(hdev, ST21NFCA_RF_READER_F_GATE,
   724                                          ST21NFCA_RF_READER_F_NFCID1,
   725                                          &nfcid_skb);
                                                ^^^^^^^^^^
This is set to a different new skb on some error paths but if we return
-EADDRNOTAVAIL then it's still the same freed skb.

   726                          if (r < 0)
   727                                  goto exit;
                                        ^^^^^^^^^
We hit this goto and double free.

   728  
   729                          if (nfcid_skb->len > NFC_NFCID1_MAXSIZE) {
   730                                  r = -EPROTO;
   731                                  goto exit;
   732                          }
   733                          memcpy(target->sensf_res, nfcid_skb->data,
   734                                  nfcid_skb->len);
   735                          target->sensf_res_len = nfcid_skb->len;
   736                          target->supported_protocols = NFC_PROTO_NFC_DEP_MASK;
   737                  }
   738                  target->hci_reader_gate = ST21NFCA_RF_READER_F_GATE;
   739          }
   740          r = 1;
   741  exit:
   742          kfree_skb(nfcid_skb);
   743          return r;
   744  }

regards,
dan carpenter

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2018-09-28  9:28 UTC | newest]

Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-09-28  9:28 [bug report] NFC: st21nfca: Fix some skb memory leaks Dan Carpenter

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.